API defender for endpoint bad request

Daniel 61 Reputation points
2023-01-19T09:26:56.0766667+00:00

I am trying advanced hunting queries towards the endpoint "[https://api-eu.securitycenter.microsoft.com/api/advancedqueries/run"

The permissions, tokens and app permissions is already configured. The problem now is that some queries give me result back and some give HTTP 400 Bad request.

This query works:

$query = @"
DeviceProcessEvents
|where FileName =~ 'powershell.exe'
|limit 10
"@

These two doesn't work, I get HTTP 400 Bad request back

$query = @"
RegistryEvents | limit 10
"@
$query = @"
SecurityEvent
|where EventID in (4624, 4625)
|where AccountType == 'User'
|summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Amount = count() by LogonTypeName
|extend timestamp = StartTimeUtc
"@

So, what might be the problem? Is it granular permissions that enabled me to check "DeviceProcessEvents" but not "RegistryEvents?

Is it a license issue? We have Microsoft Defender for Endpoint Plan 2.

Is it some kind of syntax issue? I am just copy/pasting these queries from [https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exposed-apis-full-sample-powershell?view=o365-worldwide and [https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/RareProcess_forWinHost.yaml and [https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/

Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,214 questions
0 comments No comments
{count} votes

Accepted answer
  1. Givary-MSFT 28,576 Reputation points Microsoft Employee
    2023-01-27T11:27:03.2566667+00:00

    @Daniel Apologies for the delay in reviewing this post, researched on your ask what I can notice is RegistryEvents or SecurityEvent do you have schema defined in your security portal, this query worked - DeviceProcessEvents for you because there is a table defined for the same, (https://security.microsoft.com) below is the screenshot from my portal, would recommend when you run these queries match the tables which within the schema section of your portal and see if this suggestion helps to answer your query.

    Reference:

    [https://learn.microsoft.com/en-us/microsoft-365/security/defender/api-error-codes?view=o365-worldwide#:~:text=by%20angle%20brackets.-,Error%20codes,-Error%20code

    Understand the advanced hunting schema

    User's image

    Let me know if you have any further questions, feel free to post back.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. NickTest 5 Reputation points
    2024-03-21T05:51:43.7333333+00:00

    Hi, I have the same issue with the table IdentityInfo and it exists in the schema. The server response 400 Bad Request while, testing with the table DeviceEvents, the server returns the result as expected

    1 person found this answer helpful.